Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/{file_id} endpoint allows any authenticated user to download any other user's uploaded files by providing the file UUID. The endpoint verifies the caller is authenticated but never checks that the file belongs to them. An attacker who knows or obtains a file UUID can access confidential documents, chat attachments, and other files uploaded by any user in the system. This issue has been patched in versions 3.0.9, 3.1.6, and 3.2.6.
AnalysisAI
Onyx versions prior to 3.0.9, 3.1.6, and 3.2.6 expose an authorization bypass in the GET /chat/file/{file_id} endpoint that permits authenticated users to download any other user's files by directly accessing file UUIDs. The endpoint enforces authentication but lacks per-file ownership validation, allowing attackers with valid credentials to exfiltrate confidential documents and chat attachments belonging to other users system-wide. No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
Onyx implements a file-download endpoint that accepts a file UUID as a path parameter. The vulnerability stems from inadequate authorization enforcement-the application verifies that the requester is authenticated (PR:L in CVSS) but implements no access control list or ownership check before returning the requested file. This is a classic broken access control pattern (CWE-639: Authorization Bypass Through User-Controlled Key). The endpoint trusts the file UUID alone as sufficient authorization, failing to cross-reference the requesting user's identity against the file's owner before granting access. Since UUIDs, while cryptographically random, are often discoverable through social engineering, information disclosure, or enumeration, the barrier to exploitation is minimal once a valid session token is obtained.
RemediationAI
Vendor-released patches are available: upgrade to Onyx 3.0.9, 3.1.6, or 3.2.6 (matching your current major.minor version). These versions implement proper ownership validation on the GET /chat/file/{file_id} endpoint, ensuring authenticated users can only access files they own. If immediate patching is not possible, implement a temporary compensating control by restricting network access to the GET /chat/file endpoint at the reverse proxy or firewall level to trusted internal networks only, though this reduces usability for remote users. Additionally, audit file download logs to identify unauthorized access attempts using UUID enumeration patterns. Review user account credentials and consider rotating authentication tokens for all users if the system has been unpatched for an extended period, as this addresses the authentication prerequisite for exploitation. Consult the GitHub advisory at https://github.com/onyx-dot-app/onyx/security/advisories/GHSA-vg3h-35f7-7w6r for deployment-specific guidance.
In danswer-ai/danswer v0.3.94, administrators can set the visibility of pages within a workspace, including the search p
NVIDIA Mellanox OS, ONYX, Skyway, and MetroX-3 XCC contain a vulnerability in the web support, where an attacker can cau
NVIDIA Mellanox OS, ONYX, Skyway, MetroX-2 and MetroX-3 XC contain a vulnerability in the LDAP AAA component, where a us
NVIDIA Mellanox OS, ONYX, Skyway, MetroX-2 and MetroX-3 XC contain a vulnerability in ipfilter, where improper ipfilter
Plesk Onyx 17.8.11 has accessKeyId and secretAccessKey fields that are related to an Amazon AWS Firehose component. Rate
SQL injection in Onyx Chat Interface allows authenticated remote attackers to manipulate database queries via the genera
A GET-based XSS reflected vulnerability in Plesk Onyx 17.8.11 allows remote unauthenticated users to inject arbitrary Ja
Onyx versions before 3.0.9, 3.1.6, and 3.2.6 permit authenticated users to terminate any other user's active chat sessio
An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. Rated high severity (CVSS 8.1), t
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28525